Check out my experiences in the Linux world. Stay tuned for updates/reviews!

Tuesday, March 23, 2010

Understanding viruses in Linux

Before I started using Linux I was exclusively using Windows. I had never tried Apple, and my interaction with UNIX systems was limited and infrequent. When I started using Linux, it was my first encounter with many new concepts that had little or nothing to do with those of Windows.

One of the things that got my attention initially was reading that there were no viruses in Linux, which was quite a departure from Windows ways. I was always curious about that... How could it be? After all, Windows users are flooded with attacks, so how was Linux performing the magic? Inevitably, I started searching for answers and found out that it was a somewhat controversial concept. Some people claimed that Linux was mostly benefiting from a very small market share, thus making it unattractive for those creating viruses. Some others claimed it was down to the very diverse and segregated nature of Linux (countless distros, no unified packaging, etc.). Finally, there were also people who claimed Linux was completely immune to viruses and that those who claimed otherwise didn't know what they were talking about.

Eventually, I found no reason to doubt Linux's immunity to viruses, so I took it for granted and thought it was a given in general. My experience is that lots of new Linux users understand, just like I did, that "no viruses" equals "no security threats". I believe that this is mostly down to how the term "virus" has been abused and misused. It has almost become a "wildcard" for all things malware.

In this post I will try to give some background about viruses and Linux security, hopefully clarifying some potential voids and misconceptions while I am at it.

WHAT IS A VIRUS?

First off, let me say that it is TRUE that there are no Linux viruses. That much is right, but it doesn't really mean much as long as we don't know exactly what a virus is. Here's the definition from Wikipedia:

"A computer virus is a program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer."

This definition already clarifies many things. Here are the most important concepts:

- A virus must be an executable program.
- A virus must have the ability to run and copy itself somehow, with no user intervention.
- The only spread mechanism available for a true virus to infect a computer is through its host being on the target machine.

Now, if you have heard about the many forms of malware in existence, you will quickly realize this definition only covers a part of them. This subset is the one we Linux users should not be concerned about. I will briefly touch on the ones we should be conscious about at the end of this post, but for now, let's see why viruses are not our problem:

VIRUS BASICS AND LINUX ARCHITECTURE

As we just learnt, and this is a very important part of its definition, a virus must be able to "do its thing on its own". In other words, user interaction is not required and the virus activity should go unnoticed. There are two methods a virus can use to copy itself:

METHOD 1: Adding its own code to system executables.

Linux, being the good UNIX sibling it is, sports a file system that natively supports ownership and privileges. Simply put, here's how it would work in real life:

1.- If a user creates, copies or downloads a file into a Linux system, that file is owned by the user account and group, and it lacks executable rights. Therefore, it cannot execute itself (there is a practical exception to this which we will cover later).

2.- If the user is misled into trusting some malicious piece of code and grants executable rights to it, it would still be bound to the user account's access rights, which are limited to the user's home folder. Therefore, if a user were having this kind of problem, the fix would be as simple as creating another account and moving the necessary files over to the new home folder. Note that in this case we would no longer be talking about a virus, because user interaction was required for the trick to work. In practical terms, a virus would have no way to infect any other applications unless it was run under the root (superuser) account.
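The two points above can be checked directly. This added example (not code from the original post) creates a constructed sample "download" with the mode a download tool would use, shows that the kernel refuses to execute it until the owner explicitly grants the execute bit, and then runs it; the file path is an assumption chosen for the demo.

```c
/* Added example: a freshly created file carries no execute bit, execve()
 * refuses it with EACCES until the owner grants that bit, and only then
 * does it run (still as the same unprivileged user). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample "download": a script that simply exits with status 7. */
static const char *SAMPLE = "#!/bin/sh\nexit 7\n";

/* Create path the way a download tool would: mode 0666, further limited by umask.
 * The file is removed first so a stale copy cannot carry an old mode. */
int create_sample(const char *path) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    ssize_t n = write(fd, SAMPLE, strlen(SAMPLE));
    close(fd);
    return n == (ssize_t)strlen(SAMPLE) ? 0 : -1;
}

/* 1 if any execute bit (user, group or other) is set, 0 if none, -1 on error. */
int has_exec_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* Try to run path; returns its exit status, or -EACCES / -ENOEXEC when the
 * kernel refuses the execve() in the child. */
int try_run(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        execl(path, path, (char *)NULL);
        _exit(errno == EACCES ? 201 : 202); /* exec failed: report why */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    if (code == 201) return -EACCES;
    if (code == 202) return -ENOEXEC;
    return code;
}

int main(void) {
    const char *path = "/tmp/sample_download.sh"; /* assumed demo path */
    create_sample(path);
    printf("exec bit right after creation: %d\n", has_exec_bit(path));
    printf("run before chmod: %d (EACCES is %d)\n", try_run(path), -EACCES);
    chmod(path, 0700); /* the user explicitly grants execute rights */
    printf("run after chmod: %d\n", try_run(path));
    return 0;
}
```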

The root (superuser) account is disabled on many Linux distros out of the box. If it is not, warning messages are displayed frequently while in use or at login time, trying to discourage the user from using it. In fact, unless you are a system admin, you should be able to get the most out of your Linux desktop without ever having to log in as root.

Please, DO NOT use the root account unless strictly necessary!

METHOD 2: Anchoring itself to another process' memory during execution time

Linux runs on Intel's x86 architecture CPUs (AMD's 64-bit architecture is actually an extension of Intel's x86), so it is important to understand how Linux uses them. The x86 architecture provides four privilege rings, numbered 0 through 3. Linux uses two of those rings: ring 0 for kernel (system) code and ring 3 for process code (user tasks, applications, etc.). Under Linux these two kinds of code are never mixed; they run in different rings, and there is only one "gate" through which they communicate. The upshot is that only the kernel itself would be able to change this arrangement, so a virus running as a process could not exploit it.

So process code cannot infect kernel code... How about a process infecting another process? Well, this is also a no-go. The Linux kernel provides each process with an isolated piece of memory, one that is not shared with any other process. As a result, even if one of those processes scanned all the memory available to it, it would not be able to address that of any other process, because it would be outside its scope. Long story short, this method does not work either.
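Both claims in this section can be observed from an ordinary program. This added example (not from the original post) forks a child that overwrites a variable and shows the parent's copy is untouched, then maps a page with no access rights and shows that a ring-3 write to it is stopped by the kernel with a fault rather than going through; the fault is caught so the program can report it instead of dying.

```c
/* Added example: per-process address spaces and kernel-enforced page
 * protection, the two mechanisms the text relies on. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int secret = 42;

/* Fork a child that overwrites `secret`; return the parent's value afterwards.
 * With isolated address spaces it stays 42: the child changed its own copy. */
int parent_value_after_child_writes(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        secret = 99;      /* lands on the child's private page only */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return secret;
}

static sigjmp_buf fault_jump;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }

/* Map one page with PROT_NONE and try to write it. Returns 1 if the kernel
 * blocked the write (SIGSEGV, or SIGBUS on some systems), 0 if it went through,
 * -1 if the mapping itself failed. */
int write_to_protected_page_is_blocked(void) {
    long page = sysconf(_SC_PAGESIZE);
    volatile char *p = mmap(NULL, (size_t)page, PROT_NONE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int blocked = 0;
    if (sigsetjmp(fault_jump, 1) == 0) {
        p[0] = 'x';       /* ring-3 code has no right to this page: faults */
    } else {
        blocked = 1;      /* we arrive here from the signal handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap((void *)p, (size_t)page);
    return blocked;
}

int main(void) {
    printf("parent still sees: %d\n", parent_value_after_child_writes());
    printf("write to protected page blocked: %d\n",
           write_to_protected_page_is_blocked());
    return 0;
}
```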

Obviously, this is very technical talk, but hopefully I managed to explain why viruses are not a concern for Linux users without causing more confusion!!

OTHER FORMS OF MALWARE

Now that viruses are out of the way, let's talk a bit about other similarly malicious pieces of code.

ROOTKITS

Available for a wide variety of operating systems, Linux included, rootkits are either a modification to the kernel or to application code. In the case of Linux, the former are the most concerning, as they are very difficult to spot and can compromise the whole system. As a result, even with the use of specific applications, it can be extremely difficult to detect a rootkit of this nature.

Fear not, for creating a successful rootkit for Linux is no trivial task. It must be created using the exact same code that will be available on the target machine, and its installation would once again require admin rights. Because of the sheer diversity in the Linux world, the fact that there are so many distros, so many packaging variants, etc., it would be very difficult to create something that could have any significant impact. Having said so, rootkit infections have been reported.

If you ran a certain executable you did not trust and suspect you could be infected by a rootkit, or if you simply want to give yourself some peace of mind, here's what you can do:

Because rootkits can become virtually undetectable during runtime, the best thing is to boot from a removable drive (CD-ROM, USB pendrive, etc.). Then, use CHKROOTKIT or RKHUNTER, which are two popular rootkit scanners available for us Linux users.

TROJANS

Sometimes referred to as Trojan horses, these are applications designed to deceive the user, seemingly providing a service while actually opening the door for a third party to remotely control the machine or access personal information. In other words, they can potentially steal passwords and confidential information, install software, log keystrokes, use the machine for spamming, etc.

I have already discussed a GNOME and KDE VULNERABILITY that would allow a trojan in the form of a launcher to execute without admin rights. It would still require the user to save the launcher locally and double click on it, but judging by how frequently that happened in Windows, I believe this should be something to watch out for.

Some users have reported being infected by trojans when using packages downloaded from a popular site containing eye candy for the GNOME desktop. In fact, Linux users are potentially easy targets for such attacks, for what exactly could be wrong with anything downloaded from community resources? There is a sense of trust which is inherent to the community itself, and I believe that could be a weakness if it is misunderstood. Trust is fine, just do not be careless.

CONCLUSION

I guess the most important thing to take away from this article is that using Linux will do a lot for your computer security, but does not perform miracles. Viruses are no concern, but we sure cannot be careless. Be careful and protective of your own data and privacy. Stay away from using the root account, avoid running software from untrusted sources, never share your passwords... and react quickly if you think your computer has been compromised.

35 comments:

Well you can install software which contains malware as sudo in a Linux environment. The same as in Windows. That's how many Windows systems are infected. There isn't a big difference which OS you use if the owner (root or admin) of that system doesn't know about threats. And, if you open ports to the internet, every system is vulnerable. I do agree that Linux is a great system, but only successful in the right hands ...

I agree that a computer is only as smart as its user, so it is true that social engineering is threatening under any OS. That is exactly what I was trying to convey with my article. Having said so, I believe there is a big gap between Linux and Windows on this matter.

And yes, I think the most dangerous thing in the Linux world is "sudo" without password. You should never do that. I personally really don't like the sudo way. It opens too many doors for ordinary users, especially if it's usable with the user password or without any password for that matter. No password is the worst, since any malicious script could execute it. With the user password it is somewhat better, because at least the user has to type their password by hand and it is properly announced that it is giving root rights to some program/script/process/whatever. Still, if sudo is absolutely necessary on a system, for best security, it should always ask for the root password.

Obviously this should not be a user's concern, but Linux distributions should adopt a proper way to give ordinary users root rights with sudo. This is one of the weaknesses of Ubuntu. I think other distros like Mandriva do it the right way.

I am not sure why you would consider sudo a problem. I think Ubuntu handles it right by disabling root access by default. Only admin users have access to sudo by default anyway, so it assumes that sudoers know what they are doing. Having said so, I understand that the default account created on installation must be an admin, which kind of defeats the purpose in a desktop, single-user environment. It does make a lot more sense in a professional environment where the person setting up the machine is not necessarily the end user.

As far as my experience goes with Mandriva, I have used it on and off during the last two years, and personally I don't see much of a difference. It may be better on certain things, but I don't like that you need to log in as root to that "Config center" application in order to set up your wireless card, for example.

As for sudo asking for the root password... Don't you think that is a lot more dangerous? If a trojan managed to get the user password, that's already very bad, but it would be a lot worse if it got the root password straight away, I think.

The purpose of sudo is to allow users that don't necessarily know the root password to elevate to superuser rights for a single command. In a desktop, single-user environment this does not make much sense, but in a professional environment of a considerable size, I think it makes the most sense. You may want to have many superusers who can perform certain administrative tasks without having to share the root password with all of them.

I see your point of view, but I don't see Ubuntu as a corporate distro. You want corporate you go with commercial RedHat or free CentOS or other distros.

In most of the cases, in home user settings, the user knows the root password, and I still think it's better to give that for administrative rights than using your user password. To play with your example, if a malware finds out the user's password, it has root access ... that's not good. If sudo asks for the root password, at least your chances are 50% better (unless you have the same password for root and user).

And about the Mandriva Control Center or for that fact any other services, you can specify which services can be administered by which users ... long live "msec", the Mandriva Security Tool, so if I want some users to be able to manage network connections I can simply enable them to do so, right in MCC and without the need of sudo... but this is another story and I don't wanna start any kind of Mandriva vs. Ubuntu flame here. In my previous post I just took Mandriva as an example; many other distributions follow this sudo logic.

I always like to discuss matters because I always learn something new, and I find your point of view very interesting. I suppose nothing is perfect and in the end one sticks to that which fits one's needs or ways of doing things.

And don't get me wrong, Mandriva is a great distro which I very much love. I consider it the best KDE implementation along with Fedora. It's just that once again I think Ubuntu fits my ways better.

As for Ubuntu being corporate material, well, I have mixed views on that one. I see where you are coming from and yes, RHE is the safe bet, especially because they have lots of experience with fairly big customers. However, I still think Ubuntu is perfectly suitable for small to medium companies, perhaps below 500 users in size. Combining Ubuntu clients with Debian servers, for example, sounds like a solid solution, IMHO.

It's too bad that SELinux isn't available in a user-friendly way and that ACLs are underutilized, and in fact I believe that even groups are poorly used. With SELinux even a root infection wouldn't damage much. Someday I wanna build the user-friendly SELinux distro.

I agree with you. SELinux is driving me crazy under Fedora. It has a very cumbersome interface, which seems to provide useless messages. There is a known bug that raises a warning or even stops Chromium from running.

Sadly, it feels like the typical Windows error interface which is just annoying. I really hope the major distros raise the same concern and get this feature matured enough for all kinds of users.

I have about 3 years of Linux experience, mainly Ubuntu. When I set up a PC, I always create a user (called administrator) who is the only one with administrative privileges such as sudo use and root access and is only used for those types of things. Then all other users (who have different passwords) cannot do anything too risky (such as install an infected .deb). Obviously this isn't perfect, but at least users (except administrator) should only be able to cripple themselves by malware. Any comments?

John Rose ... that's OK, in your situation, but let me ask you, when you started using Linux, how safe were you with sudo?

Obviously, I suppose here that you did not know what root or sudo means, as an ordinary newbie.

After all the comments I've seen here, the question to be answered by different Linux distributions is: "Should a dumb user be able to do whatever they want, or should a dumb user be educated by forcing upon them some not always friendly rules?"

And I think the final answer will come in time, there is no straight solution.

Actually sudo is so abused by Ubuntu... you can sudo anything. Ubuntu would be wise to make sudo only work for... 2 things I think. 1: the apt-utils (whatever this is called) and 2: CLI text editors (vim, nano, emacs). Everything else... should not be runnable by sudo out of the box. Then don't disable root logins but deny them from the login manager out of the box. This forces people to log in as root to do truly stupid things. This won't prevent things like people installing bad packages from mostly trusted community repos... but it would make the callous use of sudo end. Even better, I say, if you make it so root is disabled by default so they have to figure out how to use a livecd (or boot parameters) to bypass passwords to enable root.

Hello!!! I would like to add some extra information! The primary difference between Linux and many other popular contemporary operating systems is that the Linux kernel and other components are free and open source software.

Hmmm.. I do agree with you in many parts but will have to think about it deeply. But I have to say that it is quite well put though and did make me reassess many of my ideas about certain things. Many thanks for giving this different perspective.

Your post has cleared my doubt about Linux viruses. I had the same thing in mind: some people said Linux never gets infected by viruses, and some said it does. Yes, you are right, we should be careful and protective about our data and privacy.

Thank you for this great article, Chema. I kind of accidentally came upon it. You explained it in a way that everybody (not only the nerds) should be able to understand.

I'm using Linux on my desktop for quite a while now and am completely happy with it. Meanwhile distributions like Ubuntu make Linux as easy to use as other proprietary operating systems.

There are many good reasons to switch over to open source. Unfortunately most of us got used to the usage of proprietary products, not knowing at all what this software does to our perception of the world (catchword: walled gardens) and our freedom.

The only problems I see are that Linux doesn't come preinstalled, isn't well supported by the industry, is mostly not taught in schools (which is a real shame!) and still couldn't get rid of this somehow geeky and nerdish image it actually lost a long time ago.

I'd like to point out that in my 15 years of Linux admin/IT management, I've only ever seen/experienced two rootkits/worms, and both were on old Redhat boxes. The worm itself propagates via SSH/Telnet bruteforce. A common attack every even remotely competent Linux admin will notice in about 4 seconds. Unfortunately my client's previous Linux admin wasn't "even remotely competent", left SSH open to the Internet with no filtering whatsoever, SSH allowed root login, the root password was weak and was bruteforced in less than 2 million attempts (both cases). RKhunter found both worms in a few seconds, but as these machines were about 6-8 years outdated, there was nowhere from which to obtain the clean binaries, so a new install was required.

I've never seen a Linux virus. I've heard rumours, sure, but thus far zero evidence. There are heaps of worms out there and I'm confident they are more of a security issue than trojans. Most inexperienced Linux users don't know how to install a .deb outside of their distro's respective package management GUI. Any even moderately experienced users know the telltale signs of malicious packages. Worms, however, just start hitting you, and they'll hit you hard enough to cause problems regardless of whether or not your machine is itself secure. A simple hydra-based SSH bruteforce attempt can cripple your internet connection.

There are other more common issues when it comes to intentional and directed attacks against an individual or organisation running Linux. ARP poisoning takes only a few seconds to set up, and unless you've got a very good managed switch, you're vulnerable (as with any OS). Blah blah blah. There are lots of security vulnerabilities.

Long story short, viruses on Linux, as the author states, just really don't exist. A determined and malicious attacker will probably find a way in regardless, or will at least make your day interesting no matter how much experience and foresight you may employ. Don't piss someone off to that extent in the first place, is probably the best defence.